Prevent port scanning from KVM to internet

[FlorinMarian]

Hi, there!
I would like to know if exists such a solution to implement at host level any kind of software to detect users who are using our IPs for port scanning and brute forcing servers over the internet.
Unfortunately we're very close to lose our leased /24 subnet and we need such a solution to avoid this situation.
Any tip is welcome.
Thank you!

 

[oguz]

hi,

I would like to know if exists such a solution to implement at host level any kind of software to detect users who are using our IPs for port scanning and brute forcing servers over the internet.

port scans would trigger a lot of packets to large number of ports on different hosts.

detection methods can be anything from monitoring for simple thresholds and patterns, (e.g. number of ports connected to from a single origin over a period of time), to anomaly models based on expected network behavior.

Any tip is welcome.

i've heard of:
* scanlogd (around for a long time)
* sentry tools (portsentry, logsentry, hostsentry etc.)
* IDS/IPS systems like suricata or snort (both are open source as well)

hope this helps!

 

[FlorinMarian]

hi,


port scans would trigger a lot of packets to large number of ports on different hosts.

detection methods can be anything from monitoring for simple thresholds and patterns, (e.g. number of ports connected to from a single origin over a period of time), to anomaly models based on expected network behavior.


i've heard of:
* scanlogd (around for a long time)
* sentry tools (portsentry, logsentry, hostsentry etc.)
* IDS/IPS systems like suricata or snort (both are open source as well)

hope this helps!

Thank you for help!
Suricata seems promising.
Anyone have idea where I can find rules to defend outbound SSH brute force & port scanning?
Thank you!

 

[oguz]

Anyone have idea where I can find rules to defend outbound SSH brute force & port scanning?

for example:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN SYN FIN"; flow:stateless; flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:2100624; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

from [0] (they have a bunch of other ones there). the rule here should be matching a TCP SYN scan (flags:SF,12)

[0]: https://github.com/jpalanco/alienva...ules/1.3.1/emerging.rules/emerging-scan.rules

 

[FlorinMarian]

for example:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN SYN FIN"; flow:stateless; flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:2100624; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

from [0] (they have a bunch of other ones there). the rule here should be matching a TCP SYN scan (flags:SF,12)

[0]: https://github.com/jpalanco/alienva...ules/1.3.1/emerging.rules/emerging-scan.rules

Isn't this rule for inbound traffic?

 

[oguz]

Isn't this rule for inbound traffic?

yes but you can just swap the networks in the rule

 

[FlorinMarian]

Hello!
Does anyone have any idea if the maximum number of external connections to a certain port can be controlled from the proxmox Firewall or from Suricata, but without saying which port it is?
Automatically track external connections for each port in order to discover the scans coming from my clients depending on the port.
Solving this for port 22 alone is not a solution, unfortunately.